I'm often asked how it is that internet use continues to grow so fast despite ever faster growing vulnerabilities -- security breaches, stolen data, identity theft, online fraud and more.
The short answer is that online security is "good enough" -- adequate for the risk represented by the value of the transactions. Consider credit cards. There is certainly theft and fraud, but various security measures, added over time to address new threats, kept losses at an acceptable level. Computer and online security seem to be following a similar path. The operating systems and browsers get new security features, patches and updates, often in response to some recently discovered or exploited vulnerability.
We've long been saying that this cycle of vulnerability exploitation and patch will never really end, and everything we've seen since then only reinforces this belief. And the complexity of all those patches adds more vulnerabilities.
But what if the patch efforts fall behind? What happens when "good enough" just isn't good enough anymore? One could argue that identity theft is on the verge of becoming the manifestation of this risk. Many will be surprised to learn that in 2006, most identity theft was enabled by non-internet data collection. Online exploitation on a grand scale might cause an exponential increase in what is already one of the fastest growing consumer threats in the U.S.
It will take a new way of thinking about security, and new offerings that can isolate and close off broad categories of threat, so that "good enough" is still good enough when the stakes go up.
We have some ideas, and we're doing more than just thinking about them.
A version of this piece appears in Vantage, Vol. 5, No. 1, 2008, RSA's magazine on information security issues and trends.
See original article on scmagazineus.com
Online security: "good enough" may not be good enough anymore
By Jim Bidzos, vice chairman of the board, VeriSign on Apr 10, 2008 4:10PM